Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libsoup2 for openSUSE:Factory checked in at 2025-04-23 15:18:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libsoup2 (Old) and /work/SRC/openSUSE:Factory/.libsoup2.new.30101 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libsoup2" Wed Apr 23 15:18:06 2025 rev:12 rq:1271339 version:2.74.3 Changes: -------- --- /work/SRC/openSUSE:Factory/libsoup2/libsoup2.changes 2025-04-08 17:51:23.630904828 +0200 +++ /work/SRC/openSUSE:Factory/.libsoup2.new.30101/libsoup2.changes 2025-04-23 15:18:08.695122574 +0200 @@ -1,0 +2,10 @@ +Fri Apr 18 21:38:24 UTC 2025 - Michael Gorse <mgo...@suse.com> + +- Add more CVE fixes: + + ef6c4bf6.patch (boo#1240750 CVE-2025-2784) + + 96c22b67.patch (boo#1240750 CVE-2025-2784) + + 19124679.patch (boo#1240752 CVE-2025-32050) + + a5b86bfc.patch (boo#1240756 CVE-2025-32052) + + 5739a090.patch (boo#1240757 CVE-2025-32053) + +------------------------------------------------------------------- New: ---- 19124679.patch 5739a090.patch 96c22b67.patch a5b86bfc.patch ef6c4bf6.patch BETA DEBUG BEGIN: New: + 96c22b67.patch (boo#1240750 CVE-2025-2784) + 19124679.patch (boo#1240752 CVE-2025-32050) + a5b86bfc.patch (boo#1240756 CVE-2025-32052) New: + a5b86bfc.patch (boo#1240756 CVE-2025-32052) + 5739a090.patch (boo#1240757 CVE-2025-32053) New: + ef6c4bf6.patch (boo#1240750 CVE-2025-2784) + 96c22b67.patch (boo#1240750 CVE-2025-2784) + 19124679.patch (boo#1240752 CVE-2025-32050) New: + 19124679.patch (boo#1240752 CVE-2025-32050) + a5b86bfc.patch (boo#1240756 CVE-2025-32052) + 5739a090.patch (boo#1240757 CVE-2025-32053) New:- Add more CVE fixes: + ef6c4bf6.patch (boo#1240750 CVE-2025-2784) + 96c22b67.patch (boo#1240750 CVE-2025-2784) BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libsoup2.spec ++++++ --- /var/tmp/diff_new_pack.grqifx/_old 2025-04-23 15:18:09.471155032 +0200 +++ /var/tmp/diff_new_pack.grqifx/_new 2025-04-23 15:18:09.471155032 +0200 @@ -1,7 +1,7 @@ # # spec file for package libsoup2 # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -46,6 +46,16 @@ Patch9: https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd.patch # PATCH-FIX-UPSTREAM 4c9e75c6.patch boo#1233287 mgo...@suse.com -- fix an intermittent test failure. Patch10: https://gitlab.gnome.org/GNOME/libsoup/-/commit/4c9e75c6.patch +# PATCH-FIX-UPSTREAM ef6c4bf6.patch boo#1240750 mgo...@suse.com -- fix a potential overflow. +Patch11: https://gitlab.gnome.org/GNOME/libsoup/-/commit/ef6c4bf6.patch +# PATCH-FIX-UPSTREAM 96c22b67.patch boo#1240750 mgo...@suse.com -- add better coverage of skip_insignificant_space. +Patch12: https://gitlab.gnome.org/GNOME/libsoup/-/commit/96c22b67.patch +# PATCH-FIX-UPSTREAM 19124679.patch boo#1240752 mgo...@suse.com -- Fix using int instead of size_t for strcspn return. +Patch13: https://gitlab.gnome.org/GNOME/libsoup/-/commit/19124679.patch +# PATCH-FIX-UPSTREAM a5b86bfc.patch boo#1240756 mgo...@suse.com -- fix heap buffer overflow in soup_content_sniffer_sniff. +Patch14: https://gitlab.gnome.org/GNOME/libsoup/-/commit/a5b86bfc.patch +# PATCH-FIX-UPSTREAM 5739a090.patch boo#1240757 mgo...@suse.com -- fix heap buffer overflow in soup_content_sniffer.c:sniff_feed_or_html +Patch15: https://gitlab.gnome.org/GNOME/libsoup/-/commit/5739a090.patch BuildRequires: glib-networking BuildRequires: meson >= 0.50 ++++++ 19124679.patch ++++++ >From 1912467968aabbf76287e639aa254751b00c0a2a Mon Sep 17 00:00:00 2001 From: Patrick Griffis <pgrif...@igalia.com> Date: Mon, 28 Oct 2024 12:29:48 -0500 Subject: [PATCH] Fix using int instead of size_t for strcspn return CVE-2025-32050 --- libsoup/soup-headers.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c index 2d287fc2..cc481cfa 100644 --- a/libsoup/soup-headers.c +++ b/libsoup/soup-headers.c @@ -905,7 +905,7 @@ append_param_quoted (GString *string, const char *name, const char *value) { - int len; + gsize len; g_string_append (string, name); g_string_append (string, "=\""); -- GitLab ++++++ 5739a090.patch ++++++ >From 5739a090529209c2afc13f482256573bcd9ce940 Mon Sep 17 00:00:00 2001 From: Ar Jun <pkillar...@protonmail.com> Date: Mon, 18 Nov 2024 14:59:51 -0600 Subject: [PATCH] Fix heap buffer overflow in soup-content-sniffer.c:sniff_feed_or_html() CVE-2025-32053 --- libsoup/soup-content-sniffer.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c index 744f48a0..3fb29adf 100644 --- a/libsoup/soup-content-sniffer.c +++ b/libsoup/soup-content-sniffer.c @@ -623,7 +623,7 @@ skip_insignificant_space (const char *resource, gsize *pos, gsize resource_lengt (resource[*pos] == '\x0D')) { *pos = *pos + 1; - if (*pos > resource_length) + if (*pos >= resource_length) return TRUE; } @@ -682,7 +682,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer) do { pos++; - if (pos > resource_length) + if ((pos + 1) > resource_length) goto text_html; } while (resource[pos] != '>'); -- GitLab ++++++ 96c22b67.patch ++++++ >From 96c22b67345d3ab9cc431e551ec6aef767212af5 Mon Sep 17 00:00:00 2001 From: Patrick Griffis <pgrif...@igalia.com> Date: Tue, 18 Feb 2025 14:29:50 -0600 Subject: [PATCH] sniffer: Add better coverage of skip_insignificant_space() CVE-2025-2784 --- libsoup/soup-content-sniffer.c | 10 +++---- tests/sniffing-test.c | 53 ++++++++++++++++++++++++++++++---- tests/soup-tests.gresource.xml | 1 - 3 files changed, 53 insertions(+), 11 deletions(-) diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c index 4c8134a7f..7669c6385 100644 --- a/libsoup/soup-content-sniffer.c +++ b/libsoup/soup-content-sniffer.c @@ -612,8 +612,11 @@ sniff_text_or_binary (SoupContentSniffer *sniffer, SoupBuffer *buffer) } static gboolean -skip_insignificant_space (const char *resource, int *pos, int resource_length) +skip_insignificant_space (const char *resource, gsize *pos, gsize resource_length) { + if (*pos >= resource_length) + return TRUE; + while ((resource[*pos] == '\x09') || (resource[*pos] == '\x20') || (resource[*pos] == '\x0A') || @@ -632,7 +635,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer) { const char *resource = (const char *)buffer->data; int resource_length = MIN (512, buffer->length); - int pos = 0; + gsize pos = 0; if (resource_length < 3) goto text_html; @@ -642,9 +645,6 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer) pos = 3; look_for_tag: - if (pos >= resource_length) - goto text_html; - if (skip_insignificant_space (resource, &pos, resource_length)) goto text_html; diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c index 0a4569a43..372b659e1 100644 --- a/tests/sniffing-test.c +++ b/tests/sniffing-test.c @@ -436,6 +436,52 @@ test_disabled (gconstpointer data) soup_uri_free (uri); } +static const gsize MARKUP_LENGTH = strlen ("<!--") + strlen ("-->"); + +static void +do_skip_whitespace_test (void) +{ + SoupContentSniffer *sniffer = soup_content_sniffer_new (); + SoupMessage *msg = soup_message_new (SOUP_METHOD_GET, "http://example.org";); + const char *test_cases[] = { + "", + "<rdf:RDF", + "<rdf:RDFxmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"";, + "<rdf:RDFxmlns=\"http://purl.org/rss/1.0/\"";, + }; + + soup_message_headers_set_content_type (msg->response_headers, "text/html", NULL); + + for (guint i = 0; i < G_N_ELEMENTS (test_cases); i++) { + const char *trailing_data = test_cases[i]; + gsize leading_zeros = 512 - MARKUP_LENGTH - strlen (trailing_data); + gsize testsize = MARKUP_LENGTH + leading_zeros + strlen (trailing_data); + guint8 *data = g_malloc0 (testsize); + guint8 *p = data; + char *content_type; + GBytes *buffer; + + // Format of <!--[0x00 * $leading_zeros]-->$trailing_data + memcpy (p, "<!--", strlen ("<!--")); + p += strlen ("<!--"); + p += leading_zeros; + memcpy (p, "-->", strlen ("-->")); + p += strlen ("-->"); + if (strlen (trailing_data)) + memcpy (p, trailing_data, strlen (trailing_data)); + // Purposefully not NUL terminated. + + buffer = g_bytes_new_take (g_steal_pointer (&data), testsize); + content_type = soup_content_sniffer_sniff (sniffer, msg, (SoupBuffer *) buffer, NULL); + + g_free (content_type); + g_bytes_unref (buffer); + } + + g_object_unref (msg); + g_object_unref (sniffer); +} + int main (int argc, char **argv) { @@ -605,16 +651,13 @@ main (int argc, char **argv) "type/text_html; charset=UTF-8/test.html => text/html; charset=UTF-8", do_sniffing_test); - /* Test hitting skip_insignificant_space() with number of bytes equaling resource_length. */ - g_test_add_data_func ("/sniffing/whitespace", - "type/text_html/whitespace.html => text/html", - do_sniffing_test); - /* Test that disabling the sniffer works correctly */ g_test_add_data_func ("/sniffing/disabled", "/text_or_binary/home.gif", test_disabled); + g_test_add_func ("/sniffing/whitespace", do_skip_whitespace_test); + ret = g_test_run (); soup_uri_free (base_uri); diff --git a/tests/soup-tests.gresource.xml b/tests/soup-tests.gresource.xml index cbef1d402..9c08d170e 100644 --- a/tests/soup-tests.gresource.xml +++ b/tests/soup-tests.gresource.xml @@ -25,6 +25,5 @@ <file>resources/text.txt</file> <file>resources/text_binary.txt</file> <file>resources/tux.webp</file> - <file>resources/whitespace.html</file> </gresource> </gresources> -- GitLab ++++++ a5b86bfc.patch ++++++ >From a5b86bfc9405e01f12a975ae6898b1ce6a870e11 Mon Sep 17 00:00:00 2001 From: Patrick Griffis <pgrif...@igalia.com> Date: Sat, 16 Nov 2024 12:07:30 -0600 Subject: [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff Co-Author: Ar Jun <pkillar...@protonmail.com> CVE-2025-32052 --- libsoup/soup-content-sniffer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c index 7669c638..744f48a0 100644 --- a/libsoup/soup-content-sniffer.c +++ b/libsoup/soup-content-sniffer.c @@ -504,7 +504,7 @@ sniff_unknown (SoupContentSniffer *sniffer, SoupBuffer *buffer, guint index_pattern = 0; gboolean skip_row = FALSE; - while ((index_stream < resource_length) && + while ((index_stream < resource_length - 1) && (index_pattern <= type_row->pattern_length)) { /* Skip insignificant white space ("WS" in the spec) */ if (type_row->pattern[index_pattern] == ' ') { -- GitLab ++++++ ef6c4bf6.patch ++++++ >From ef6c4bf664d22fae0b9a96b6f4778bb4b24d1aca Mon Sep 17 00:00:00 2001 From: Patrick Griffis <pgrif...@igalia.com> Date: Wed, 5 Feb 2025 14:39:42 -0600 Subject: [PATCH] sniffer: Fix potential overflow CVE-2025-2784 --- libsoup/soup-content-sniffer.c | 2 +- tests/sniffing-test.c | 5 +++++ tests/soup-tests.gresource.xml | 1 + 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/libsoup/soup-content-sniffer.c b/libsoup/soup-content-sniffer.c index 967ec6141..4c8134a7f 100644 --- a/libsoup/soup-content-sniffer.c +++ b/libsoup/soup-content-sniffer.c @@ -642,7 +642,7 @@ sniff_feed_or_html (SoupContentSniffer *sniffer, SoupBuffer *buffer) pos = 3; look_for_tag: - if (pos > resource_length) + if (pos >= resource_length) goto text_html; if (skip_insignificant_space (resource, &pos, resource_length)) diff --git a/tests/sniffing-test.c b/tests/sniffing-test.c index d2aa86b9d..0a4569a43 100644 --- a/tests/sniffing-test.c +++ b/tests/sniffing-test.c @@ -605,6 +605,11 @@ main (int argc, char **argv) "type/text_html; charset=UTF-8/test.html => text/html; charset=UTF-8", do_sniffing_test); + /* Test hitting skip_insignificant_space() with number of bytes equaling resource_length. */ + g_test_add_data_func ("/sniffing/whitespace", + "type/text_html/whitespace.html => text/html", + do_sniffing_test); + /* Test that disabling the sniffer works correctly */ g_test_add_data_func ("/sniffing/disabled", "/text_or_binary/home.gif", diff --git a/tests/soup-tests.gresource.xml b/tests/soup-tests.gresource.xml index 9c08d170e..cbef1d402 100644 --- a/tests/soup-tests.gresource.xml +++ b/tests/soup-tests.gresource.xml @@ -25,5 +25,6 @@ <file>resources/text.txt</file> <file>resources/text_binary.txt</file> <file>resources/tux.webp</file> + <file>resources/whitespace.html</file> </gresource> </gresources> -- GitLab
